Data Processing Addendum
Data Processing Addendum
This Data Processing Addendum (”DPA”), forming part of the Compa SaaS Customer Agreement (“Principal Agreement”), is made and entered into as of ______, 20__ (the “Effective Date”), by and between Compa Technologies, Inc., a Delaware corporation, with offices 17630 Santa Cristobal St., Fountain Valley, CA 92708 (“Compa”) and [___________________] (the “Customer”), a Delaware corporation, with its principal place of business at 650 California St, 7th Floor, Suite 105, San Francisco, CA 94108.
(each a “Party” and together, “Parties”)
WHEREAS
(A) The Customer acts as a Data Controller.
(B) Compa acts as Data Processor.
(C) The Customer wishes to contract certain Services as set forth in the Principal Agreement, which imply the processing of personal data by the Data Processor. Further details of the Processing are set out in Schedule 1 to this DPA.
(D) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(E) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. DEFINITIONS. Capitalized terms shall have the meaning set forth in this Section 1 or as otherwise defined in other sections of this DPA. If not defined, Capitalized terms shall have the same meaning set forth in the Principal Agreement or the GDPR, as applicable:
1.1 “DPA” means this Data Processing Agreement and all Schedules.
1.2 “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Principal Agreement, including Personal Data provided as Customer Data as defined in the Principal Agreement.
1.3 “Contracted Processor” means Compa and any Subprocessor.
1.4 “Data Protection Laws” means all data protection legislation and regulations applicable to the processing of the Customer Personal Data under this DPA and the Principal Agreement, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (“GDPR”) and supplementing national legislation, in each case as may be amended, repealed, consolidated, or replaced from time to time.
1.5 “EEA” means the European Economic Area.
1.6 “GDPR” has the meaning set forth in the definition of Data Protection Laws.
1.7 “Data Transfer” means:
(a) a transfer of Customer Personal Data from the Customer to Compa; or
(b) an onward transfer of Customer Personal Data from Compa to a Subprocessor.
1.8“Services” means the services the Customer is provided pursuant to the Principal Agreement.
1.9 “Subprocessor” means any person appointed by or on behalf of Data Processor to process Customer Personal Data on behalf of the Customer in connection with the DPA.
2. PROCESSING OF CUSTOMER PERSONAL DATA.
2.1 Compa, as Data Processor:
(a) shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
(b) shall not Process Customer Personal Data other than on the relevant Customer’s documented instructions, including the Principal Agreement, unless Compa reasonably believes that such documented instructions are unlawful or infringe applicable Data Protection Laws. In the case of Compa believing that the Customer’s documented instructions are unlawful or infringe applicable Data Protection Laws, Compa shall immediately inform the Customer of such belief.
2.2 Compa intends to process and store Customer Personal Data in the United States, but reserves the right to lawfully process and store data elsewhere, to the extent permitted under the Principal Agreement and this DPA.
3. DATA PROCESSOR PERSONNEL. Compa shall take commercially reasonable steps to ensure that any employee, agent, or contractor of Compa, who may have access to the Customer Personal Data, are subject to confidentiality undertakings or statutory obligations of confidentiality, ensuring in each case that access is limited to those individuals who need to know or access the relevant Customer Personal Data, as necessary for the purposes of the Principal Agreement.
4. SECURITY. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Compa shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures listed in Article 32(1) of the GDPR.
5. SUBPROCESSING.
5.1 The Customer generally agrees that Compa may engage Subprocessors (as well as advisors, contractors, and auditors) to Process Customer Personal Data. The Customer authorizes Compa to appoint (and permit each Subprocessor appointed in accordance with this Section 5 to appoint) Subprocessors in accordance with this Section 5 and any restrictions in the Principal Agreement.
5.2 Compa may continue to use those Subprocessors already engaged by Compa as at the date of this DPA (as listed at Schedule 2 to this DPA).
5.3 Notwithstanding Sections 3.2 and 3.3 of the Principal Agreement, if Compa engages a new Subprocessor, Compa shall inform the Customer of the engagement by sending an email notification to the Customer and the Customer may object to the engagement of such new Subprocessor by notifying Compa within 7 (seven) days of Compa’s email, provided that such notification must be on reasonable grounds, directly related to the new Subprocessor’s ability to comply with substantially similar obligations to those set out in this DPA. If the Customer does not object within the specified time period, the engagement of the new Subprocessor shall be deemed accepted by the Customer.
5.4 With respect to each Subprocessor (which, for the purposes of this Section 5.4 includes new Subprocessors engaged in accordance with Section 5.3), Compa shall ensure that the arrangement between Compa and the relevant Subprocessor is governed by a written contract including terms that offer at least the same level of protection for Customer Personal data as those set out in this DPA and meet the requirements of Article 28(3) of the GDPR.
6. DATA SUBJECT RIGHTS.
6.1 Taking into account the nature of the Processing, Compa shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 Compa shall:
(a) promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
(b) ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which Compa is subject, in which case Compa shall to the extent permitted by applicable laws inform Customer of that legal requirement before Compa responds to the request.
7. PERSONAL DATA BREACH AND NOTIFICATION.
7.1 Compa shall notify Customer without undue delay upon Compa becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to notify, report, or inform Data Subjects and Supervisory Authorities of the Personal Data Breach under the Data Protection Laws.
7.2 Compa shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION. Compa shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Articles 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the processing and information available to, the Contracted Processors.
9. DELETION OR RETURN OF CUSTOMER PERSONAL DATA. Subject to this Section 9, Compa shall promptly and in any event within 90 days of the date of cessation of any Services involving the processing of Customer Personal Data, delete and procure the deletion of all copies of the Customer Personal Data or return all Customer Personal Data to the Customer, at the Customer’s choice.
10. AUDIT RIGHTS.
10.1 Subject to this Section 10, Compa shall make available to the Customer on request reasonable information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Contracted Processors. A Customer may only mandate an auditor for the purposes of this Section 10.1 if the auditor is reasonably agreed to by Compa.
10.2 Information and audit rights of the Customer only arise under Section 10.1 to the extent that the DPA does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
10.3 Customer shall give Compa reasonable advance notice of any audit or inspection to be conducted under Section 10.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury, or disruption to Compa’s premises, equipment, personnel, and business while its personnel are on those premises in the course of such an audit or inspection. Compa need not give access to its premises for the purposes of such an audit or inspection:
(a) to any individual unless he or she produces reasonable evidence of identity and authority;
(b) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer undertaking an audit has given notice to Compa that this is the case before attendance outside those hours begins;
(c) for the purposes of more than one audit or inspection, in respect of Compa, in any calendar year, except for any additional audits or inspections which:
(i) Customer reasonably considers necessary because of genuine concerns as to Compa’s compliance with this DPA; or
(ii) Customer is required to carry out by Data Protection Law, a Supervisory Authority, or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where the Customer has identified its concerns or the relevant requirement or request in its notice to Compa of the audit or inspection; or
(d) to a third party who is performing the audit on behalf of the Customer, unless such third party auditor executes a confidentiality agreement acceptable to Compa before the audit.
10.4 Customer shall reimburse Compa for any time expended for any such on-site audit, if applicable, at Compa’s then-current professional services rate, which shall be made available to Customer upon request. Before commencement of any such on-site audit; Customer and Compa shall mutually agree on the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Compa. Customer shall promptly notify Compa with information regarding any non-compliance during the course of an audit.
10.5 The Customer must provide Compa with any audit reports generated in connection with any audit at no charge unless prohibited by applicable law. The Customer may use audit reports only for the purposes of meeting its audit requirements under the Data Protection laws and/or confirming compliance with the requirements of this DPA. The audit reports shall be confidential.
10.6 Nothing in this Section 10 shall require Compa to breach any confidentiality owed to any of its clients, employees, or Subprocessors.
11. DATA TRANSFER. For those Data Transfers not based on an adequacy decision, as defined in Article 45 of the GDPR, or otherwise subject to appropriate safeguards or a derogation, under Articles 46 and 49 of the GDPR, respectively, the restricted transfers shall be subject to the Standard Contractual Clauses attached hereto as Schedule 3, and Compa may transfer or authorize the Data Transfer to countries outside the EU and/or the EEA consistent with those Standard Contractual Clauses.
12. MISCELLANEOUS.
Notices. All notices and communications given under this DPA shall be made in accordance with Section 13.6 of the Principal Agreement.
12.2 Liability and Indemnification. The liability of each party to this DPA, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, shall be subject to the limitations or exclusions of liability set out in Section 12 of the Principal Agreement entitled “Limitation of Liability.” Furthermore, the terms of indemnification by both Parties shall be governed by Section 9 of the Principal Agreement entitled “Indemnification” as appropriate.
12.3 Order of Precedence. In the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Principal Agreement and agreements entered into or purported to be entered into after the date of this DPA (except where explicitly agreed otherwise in writing, signed on behalf of the parties), the provisions of this DPA shall prevail. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses set forth in Schedule 3, the Standard Contractual Clauses shall prevail.
12.4 Governing Law. Notwithstanding Sections 7 and 9 of the Standard Contractual Clauses, this DPA is governed by the laws of the country or territory stipulated for this purpose in Section 13.10 of the Principal Agreement.
12.5 Term and Termination. The term of this DPA shall commence on the Effective Date of this DPA and shall be coterminous with the Principal Agreement in accordance with Section 7 of the Principal Agreement.
12.6 Amendment. This DPA is subject to the applicable terms for amendment set forth in Section 13.7 of the Principal Agreement.
IN WITNESS WHEREOF, the parties hereto hereby execute this DPA effective as of the Effective Date.
[CUSTOMER] Compa Technologies, Inc.
By: By:
Name: Name:
Title: Title:
SCHEDULE 1 - DETAILS OF THE PROCESSING
This Schedule includes certain details of the processing of Customer Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the processing of Customer Personal Data
The subject matter and duration of the processing of the Customer Personal Data are set out in the Principal Agreement and this DPA.
The nature and purpose of processing of Customer Personal Data
Compa will process Customer Personal Data as necessary to perform the Services under the Principal Agreement, as further specified in the applicable Project Addendum or Statements of Work, and as further instructed by the Customer in the use of the Services.
The types of Customer Personal Data to be processed
Customer may submit Customer Personal Data to Compa for the provision of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Title
- Position
- Employer
- Client ID
- Physical addresses
- Geolocation
- Contact information (company, email, phone, physical business address)
The categories of Data Subject to whom the Customer Personal Data relates
Customer may submit Personal Data to Compa for the provision of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Customer’s Users authorized by Customer to use the Services
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Candidates and prospective candidates of Customer
The obligations and rights of the Customer
The obligations and rights of the Customer are set out in the Principal Agreement and this DPA.
SCHEDULE 2 – APPROVED SUBPROCESSORS
Entity Name
Subprocessing Activity
Entity Country
Amazon Web Services
Cloud service provider
United States
Google Workspace
Data room
United States
Mixpanel
Cloud-based Analytics
United States
Secureframe
Security scanning
United States
WorkOS
SSO infrastructure
United States
Textkernel
Job description parsing
United States
Sentry
Cloud-based logging
United States
SCHEDULE 3 – STANDARD CONTRACTUAL CLAUSES
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organization: [Customer name]
Address: 650 California St, 7th Floor, Suite 105, San Francisco, CA 94108
Tel. ...............................;. fax ;. e-mail:
Other information needed to identify the organization
(the data exporter)
And
Name of the data importing organization: Compa Technologies, Inc.
Address: 17630 Santa Cristobal St, Fountain Valley, CA 92708
Tel. ................................;. fax ..............................;. e-mail:
Other information needed to identify the organization:
(the data importer)
each a ‘party’; together ‘the parties’,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
(c) Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub- processor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub- processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(e) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(f) any accidental or unauthorized access; and
(g) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(h) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(i) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(j) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(k) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(l) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(m) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
Clause 9
Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely ................................................................................................................................................................................................................
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11
Sub-processing
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
- The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely ...........................................
- The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12
Obligation after the termination of personal data-processing services
- The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
Name (written out in full): ...........................................................................................................................................................................
Position: .............................................................................................................................................................................................................
Address: .................................................................................................................................................................................................................
Other information necessary in order for the contract to be binding (if any):
Signature ............................................................................................
(stamp of organization)
On behalf of the data importer:
Name (written out in full): ...........................................................................................................................................................................
Position: .............................................................................................................................................................................................................
Address: .................................................................................................................................................................................................................
Other information necessary in order for the contract to be binding (if any):
Signature ............................................................................................
(stamp of organization)
Appendix 1
(a) to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix
(b) Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):
(c) Data importer
The data importer is (please specify briefly activities relevant to the transfer):
(d) Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
(e) Categories of data
The personal data transferred concern the following categories of data (please specify):
(f) Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
(g) Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
DATA EXPORTER
Name: ....................................................................................................................
Authorized Signature ...........................................................................................
DATA IMPORTER
Name: ....................................................................................................................
Authorized Signature ...........................................................................................
Appendix 2
to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
California Addendum
California Service Provider Addendum
This California Service Provider Addendum (this “Addendum”) is attached to and made a part of the Compa SaaS Customer Agreement between Compa Technologies, Inc. (“Compa”) and [_____________] (“Business”) dated [________], as amended, supplemented, or otherwise modified by Compa and Business (the “Agreement”). Capitalized terms used in this Addendum but not defined herein will have the same meaning as in the Agreement. If there is any inconsistency between the terms of this Addendum and the Agreement relating to data protection or Personal Information, the terms of this Addendum shall prevail. This Addendum shall continue in force until the termination of the Agreement.
This Addendum sets forth the requirements for the processing by Compa of the Personal Information of Consumers pursuant to the Agreement.
1. Definitions
1.1 “Aggregate Consumer Information” has the meaning provided in Section 1798.140(a) of the California Civil Code.
1.2 “California Consumer Privacy Act” means Sections 1798.100 et seq. of the California Civil Code.
1.3 “Commercial Purpose” has the meaning provided in Section 1798.140(f) of the California Civil Code.
1.4 “Consumer” has the meaning provided in Section 1798.140(g) of the California Civil Code.
1.5 “Deidentified” has the meaning provided in Section 1798.140(h) of the California Civil Code.
1.6 “Personal Information” has the meaning provided in Section 1798.140(o) of the California Civil Code.
1.7 “Sale” or “Sell” has the meaning provided in Section 1798.140(t) of the California Civil Code.
2. Representations and Warranties
2.1 Compa represents and warrants that it is a “service provider,” for the purposes of the services it provides to Business pursuant to the Agreement, according to the meaning given to that term in Section 1798.140(v) of the California Civil Code.
2.2 Business represents and warrants that Compa processes Personal Information on Business’s behalf and that it alone, or jointly with others, determines the purposes and means of processing Consumer Personal Information subject to the Agreement.
2.3 Compa represents and warrants that, to the extent that Business discloses Consumer Personal Information to Compa, Compa will process that Personal Information only on behalf of Business pursuant to the Agreement and this Addendum.
3. Compa’s Processing of Personal Information of Consumers as a Service Provider
3.1 Business shall not Sell Consumer Personal Information for any reason, except as otherwise permitted by the California Consumer Privacy Act.
3.2 Business shall not process, retain, use, or disclose Consumer Personal Information for any purpose other than for the specific purpose of performing the services specified in the Agreement, except as otherwise permitted by the California Consumer Privacy Act.
3.3 Business shall not process, retain, use, or disclose Consumer Personal Information for an impermissible Commercial Purpose, except as otherwise permitted by the California Consumer Privacy Act.
3.4 Business shall not retain, use, or disclose Consumer Personal Information outside of the direct business relationship between Business and Compa, except as otherwise permitted by the California Consumer Privacy Act.
3.5 Business certifies that it understands the restrictions listed in Sections 3.1, 3.2, 3.3, and 3.4 of this Addendum and will comply with them.
4. Deidentified and Aggregated Information
4.1 Business agrees that Compa has the right to deidentify and aggregate Consumer Personal Information subject to the Agreement.
4.2 Compa agrees to comply with all of the requirements in the California Consumer Privacy Act relating to Deidentified information and Aggregate Consumer Information.
5. Consumer Requests
5.1 Compa shall provide to Business any Consumer requests to exercise rights under the California Consumer Privacy Act, received directly by Compa relating to Business Consumer within a reasonable time period upon receiving such a request.
5.2 Upon written request from Business, Compa shall delete a Consumer’s Personal Information from its systems within 30 business days.
__________________________ ___________________________
On behalf of Compa On behalf of Business
__________________________ ____________________________
Date Date
Privacy Policy
This Privacy Policy (“Policy”) describes how Compa Technologies Inc. (“Compa,” “we,” “our,” “us”) collects, processes, uses, and discloses certain information obtained through your use of our website (the “Site”), which is available at https://www.trycompa.com/legal/privacy-policy, as well as information that we collect offline and in other contexts (collectively with the Site, the “Services”).
Information We Collect and Maintain About You
We collect information from you directly when you provide it to us through the Services. We further automatically collect certain information about you and your smartphone or other device when you use, access, or interact with our Services.
Personal information provided directly by you through the Site. When you make an account with us or use other features on the Site (such as apply for a job with us), we may collect your personal information, including the following categories of information:
- Full name
- The password you create for your account
- Email address
- Phone number
- Organization name
- Information about the types of candidates you wish to pursue
Personal information about applicants. Through our Services, we collect information from our customers about applicants they are assessing. We may collect the following categories of information about applicants:
- Full name
- Contact information (email address and phone number)
- Education history
- Employment history
- Any other personal information you provide in your resume, cover letter, or application
Server logs. Server logs automatically record information and details about your online interactions with us. For example, server logs may record information about your visit to our Site on a particular time and day and collect information such as your device ID or IP address.
Cookies. We also use cookies on the Site. Cookies are small files that are stored on your mobile device through the Site. A cookie allows the Site to recognize whether you have visited before and may store user preferences and other information. For example, cookies can be used to collect or store information about your use of the Site during your current session and over time (including the pages you view and the files you download), your device’s operating system, your device ID, IP address, and your general geographic location.
Pixel tags. A pixel tag (also known as a web beacon, clear GIF, pixel, or tag) is an image or a small string of code that may be placed in an advertisement or email. It allows companies to set or read cookies or transfer information to their servers when you load a webpage or interact with online content. For example, we or our service providers may use pixel tags to determine whether you have interacted with a specific part of our Services, viewed a particular advertisement, or opened a specific email.
SDKs and mobile advertising IDs. Our Services may include third-party software development kits (“SDKs”) that allow us and our service providers to collect information about your activity. In addition, some mobile devices come with a resettable advertising ID (such as Apple’s IDFA and Google’s Advertising ID) that, like cookies and pixel tags, allow us and our service providers to identify your mobile device over time for advertising purposes.
Third-party plugins. Our Site may include plugins from other companies, including social media companies (e.g., the Facebook “Like” button). These plugins may collect information, such as information about the pages you visit, and share it with the company that created the plugin even if you do not click on the plugin. These third-party plugins are governed by the privacy policies and terms of the companies that created them.
Third-party online tracking. We also may partner with certain third parties to collect, analyze, and use some of the personal and other information described in this section. For example, we may allow third parties to set pixels and mobile advertising IDs through the Site. This information may be used for a variety of purposes, including analytics and interest-based advertising, as discussed below (see the section entitled “With Whom and Why We Share Your Information”).
Aggregated or deidentified information. We may also share aggregated or deidentified information about users of the Services, such as by publishing a report on trends in the usage of the Services. Such aggregated or deidentified information will not identify you personally.
How We Use Your Information
We use the information that we collect for a variety of purposes. Our legal bases for processing your personal information are: 1) our legitimate interest in running and maintaining our business; 2) performance and fulfillment of our contracts; 3) your consent; and 4) compliance with our legal obligations. In many instances, more than one of these legal bases apply to the processing of your personal information.
The purposes for which we use your information include to:
- Provide you with our Services;
- Respond to your questions or requests concerning the Services;
- Fulfill the terms of any agreement you have with us;
- Fulfill your requests for our Services or otherwise complete a transaction that you initiate;
- Send you information about our Services and other topics that are likely to be of interest to you, including newsletters, updates, or other communications, including promotional emails;
- Improve our artificial intelligence and machine learning;
- Deliver confirmations, account information, notifications, and similar operational communications;
- Improve your user experience and the quality of our products and Services;
- Improve automated insights delivered to you while using our Services;
- Comply with legal and/or regulatory requirements;
- Aggregate and deidentify information;
- Serve advertisements;
- Analyze how visitors use the Services and various Services features, including to count and recognize visitors to the Services;
- Create new products and Services; and
- Manage our business.
With Whom and Why We Share Your Information
We share your information with third parties for a variety of purposes, as described below.
Third-party service providers. Compa uses third-party service providers that perform Services on our behalf, including web-hosting companies, and mailing vendors. These service providers may collect and/or use your information, including information that identifies you personally, to assist us in achieving the purposes discussed above.
We may also share your information with third parties when necessary to fulfill your requests for Services; to complete a transaction that you initiate; to meet the terms of any agreement that you have with us or our partners; or to manage our business.
Analytics. We partner with certain third parties to obtain the automatically collected information discussed above and to engage in analysis, auditing, research, and reporting. These third parties may use pixels or server logs, and they may set and access device IDs and IP addresses from your device.
Interest-based Advertising. The Services also enable third-party tracking mechanisms to collect information about you and your computing devices for use in online interest-based advertising. For example, third parties, such as Facebook, may use the fact that you visited our Site to target online ads to you about our Services. In addition, our third-party advertising networks might use information about your use of our Services to help target advertisements based on your mobile activity in general. For information about interest-based advertising practices, including privacy and confidentiality, visit the Network Advertising Initiative website or the Digital Advertising Alliance website.
The use of online tracking mechanisms by third parties is subject to those third parties’ own privacy policies, and not this Policy. If you prefer to prevent third parties from setting and accessing cookies on your computer or other device, you may set your browser to block cookies. Additionally, you may remove yourself from the targeted advertising of companies within the Network Advertising Initiative by opting out here, or of companies participating in the Digital Advertising Alliance by opting out here. Although our Site currently does not respond to “do not track” browser headers, you can limit tracking through these third-party programs and by taking the other steps discussed above.
You may also opt-out of interest-based by adjusting the advertising preferences on your mobile device (for example, in iOS, visit Settings > Privacy > Advertising > Limit Ad Tracking, and in Android, visit Settings > Google > Ads > Opt out of interest-based ads). Additionally, you may opt out for companies that participate in the Digital Advertising Alliance's AppChoices tool by downloading it here and following the instructions in the app.
Legal purposes. We also may use or share your information with third parties when we believe, in our sole discretion, that doing so is necessary:
- To comply with applicable law or a court order, subpoena, or other legal process;
- To investigate, prevent, or take action regarding illegal activities, suspected fraud, violations of our terms and conditions, or situations involving threats to our property or the property or physical safety of any person or third party;
- To establish, protect, or exercise our legal rights or defend against legal claims; or
- To facilitate the financing, securitization, insuring, sale, assignment, bankruptcy, or other disposal of all or part of our business or assets.
Your Choices
If you wish to access, correct, or delete the personal information we have on file, you may contact us at privacy@trycompa.com.
If you wish to opt-out of marketing emails you receive from us, you may do so by following the instructions in those emails or by contacting us at privacy@trycompa.com.
International Users
If you are a resident of the EU, UK, or another jurisdiction with an applicable privacy law, you may have certain rights available to you. These rights may include:
- The right to be informed about our data collection practices;
- The right to access and rectify your data;
- The right to erase or delete your data;
- The right to data portability;
- The right to restrict and object to the processing of your data (including for direct marketing purposes);
- The right to opt-out of marketing emails and text messages;
- The right to limit our use of any automated decision-making processes;
- The right to lodge a complaint to your local data protection authority; and
- The right to withdraw consent (to the extent applicable).
To exercise any of the rights listed above, please contact us via email at team@trycompa.com. We will respond to your request as soon as reasonably possible but no longer than 30 days.
External Links
The Site may contain links to third-party websites. If you use these links, you will leave the Site. We have not reviewed these third-party sites and do not control and are not responsible for any of these sites, their content, or their privacy policy. Thus, we do not endorse or make any representations about them, or any information, software, or other products or materials found there, or any results that may be obtained from using them. If you decide to access any of the third-party sites listed on our website, you do so at your own risk.
Data Security
We employ physical, technical, and administrative procedures to safeguard the personal information we collect both online and offline. However, no website or platform is 100% secure, and we cannot ensure or warrant the security of any information you transmit to the Services or to us, and you transmit such information at your own risk.
For questions about information security, please contact us at security@trycompa.com.
Data Retention
We retain personal information about you necessary to fulfill the purpose for which that information was collected or as required or permitted by law. We do not retain personal information longer than is necessary for us to achieve the purposes for which we collected it. When we destroy your personal information, we do so in a way that prevents that information from being restored or reconstructed.
International Users
The information that we collect through or in connection with the Services is transferred to and processed in the United States for the purposes described above. We may also subcontract the processing of your data to, or otherwise share your data with, affiliates or third parties in countries other than your country of residence. The data-protection laws in these countries may be different from, and less stringent than, those in your country of residence. However, we comply with all applicable laws regarding international data transfers.
By using the Services or by providing any information to us, you expressly consent to such transfer and processing.
Children
Content on this Services is directed at individuals over the age of 18 and is not directed at children under the age of 13. We do not knowingly collect personally identifiable information from children under the age of 13.
Changes to this Policy
We may make changes to the Services in the future and as a consequence will need to revise this Policy to reflect those changes. We will post all such changes on the Services, so you should review this page periodically.
How to Contact Us
Should you have any questions or concerns about this Policy, you can contact us at by email at privacy@trycompa.com.
Cookie Policy
This Cookie Policy (“Policy”) describes how Compa Technologies Inc. (“Compa,” “we,” “our,” “us”) collects, processes, uses, and discloses certain information obtained through your use of our website (the “Site”), which is available at https://www.trycompa.com. To learn more about our privacy practices in general, please review our Privacy Policy.
What are cookies?
Cookies are small files that are stored on your mobile device through the Site. A cookie allows the Site to recognize whether you have visited before and may store user preferences and other information. For example, cookies can be used to collect or store information about your use of the Site during your current session and over time (including the pages you view and the files you download), your device’s operating system, your device ID, IP address, and your general geographic location.
What types of cookies do we use?
Necessary Cookies. Necessary cookies allow us to offer the best possible experience when accessing and navigating through our Site. For example, these cookies allow us to recognize that you have created an account with us and accessed the Site previously.
Functionality Cookies. Functionality cookies let us operate the Site in accordance with the choices you make. For example, we will remember your username and how you customized the Site during future visits.
Analytical Cookies. These cookies enable us and third-party services to collect aggregated data for statistical purposes on how your visitors use the Site. These cookies do not collect information such as your name or email address and are used to help us improve your user experience of the Site.
Advertising Cookies. These cookies allow us and third-party services to show more relevant advertising to people who visit the Site (and other websites) by showing you advertisements that are based on your browsing patterns and the way you interact with our Site and others. Please review the section below on interest-based advertising to learn more about third-party advertising cookies in particular.
How can you manage cookies?
You may stop your browser from accepting cookies altogether by changing your browser’s cookie settings. You can usually find these settings in the “options” or “preferences” menu of your browser.
How does the Site use interest-based advertising?
The Site enables third-party tracking mechanisms (including cookies) to collect information about you and your computing devices for use in online interest-based advertising. For example, third parties, such as Facebook, may use the fact that you visited our Site to target online ads to you about our services. In addition, our third-party advertising networks might use information about your use of our services to help target advertisements based on your mobile activity in general. For information about interest-based advertising practices, including privacy and confidentiality, visit the Network Advertising Initiative website or the Digital Advertising Alliance website.
The use of online tracking mechanisms by third parties is subject to those third parties’ own privacy policies, and not this policy. If you prefer to prevent third parties from setting and accessing cookies on your computer or other device, you may set your browser to block cookies. Additionally, you may remove yourself from the targeted advertising of companies within the Network Advertising Initiative by opting out here, or of companies participating in the Digital Advertising Alliance by opting out here. Although our Site currently does not respond to “do not track” browser headers, you can limit tracking through these third-party programs and by taking the other steps discussed above.
You may also opt-out of interest-based by adjusting the advertising preferences on your mobile device (for example, in iOS, visit Settings > Privacy > Advertising > Limit Ad Tracking, and in Android, visit Settings > Google > Ads > Opt out of interest-based ads). Additionally, you may opt out for companies that participate in the Digital Advertising Alliance's AppChoices tool by downloading it here and following the instructions in the app.
How can you contact us?
If you have any questions about this Policy, you may contact us at team@trycompa.com. You may also visit our Privacy Policy to learn more about our privacy practices.
.webp)
.webp)
.webp)